[apparmor] [patch] Remove support for writing change hat declarations ("^hat, ")
Christian Boltz
apparmor at cboltz.de
Sun Jun 7 12:51:14 UTC 2015
Hello,
change hat declarations ("^hat,") are no longer supported (see patch 46
for details). Therefore remove support for writing them.
This also means removing the 'declared' flag entirely: it was only needed
for hat declarations and, after patch 46, was always set to False.
Also add a hat to the cleanprof_test.{in,out} test profile to make sure
aa-cleanprof doesn't break hats.
(This is "just" a cleanup, so trunk only)
[ 47-remove-support-for-writing-hat-declarations.diff ]
=== modified file utils/apparmor/aa.py
--- utils/apparmor/aa.py 2015-06-07 14:09:36.000405129 +0200
+++ utils/apparmor/aa.py 2015-06-07 14:32:03.483282738 +0200
@@ -108,7 +108,7 @@
# a) rules (as dict): alias, include, lvar
# b) rules (as hasher): allow, deny
# c) one for each rule class
-# d) other: declared, external, flags, name, profile, attachment, initial_comment,
+# d) other: external, flags, name, profile, attachment, initial_comment,
# profile_keyword, header_comment (these two are currently only set by set_profile_flags())
aa = hasher() # Profiles originally in sd, replace by aa
original_aa = hasher()
@@ -1442,7 +1442,6 @@
ynans = aaui.UI_YesNo(_('A profile for %s does not exist.\nDo you want to create one?') % exec_target, 'n')
if ynans == 'y':
hat = exec_target
- aa[profile][hat]['declared'] = False
aa[profile][hat]['profile'] = True
if profile != hat:
@@ -3007,7 +3006,6 @@
flags = matches.group('flags')
profile_data[profile][hat]['flags'] = flags
- profile_data[profile][hat]['declared'] = False
#profile_data[profile][hat]['allow']['path'] = hasher()
#profile_data[profile][hat]['allow']['netdomain'] = hasher()
@@ -3473,15 +3471,11 @@
data += write_rules(profile_data[name], depth + 1)
pre2 = ' ' * (depth + 1)
- # External hat declarations
- for hat in list(filter(lambda x: x != name, sorted(profile_data.keys()))):
- if profile_data[hat].get('declared', False):
- data.append('%s^%s,' % (pre2, hat))
if not inhat:
# Embedded hats
for hat in list(filter(lambda x: x != name, sorted(profile_data.keys()))):
- if not profile_data[hat]['external'] and not profile_data[hat]['declared']:
+ if not profile_data[hat]['external']:
data.append('')
if profile_data[hat]['profile']:
data += list(map(str, write_header(profile_data[hat], depth + 1, hat, True, write_flags)))
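Review bot: `pre2` on the line after the `write_rules` call looks like it served only the removed external-hat loop (`'%s^%s,' % (pre2, hat)`); unless the part of the function below this hunk still reads it, that assignment is now dead and should be deleted along with the loop. With the `declared` branch gone, a hat whose `external` flag is set produces no output at all in this loop, which is the old behaviour for non-declared external hats, but a one-line comment such as `# external hats are not inlined here` would save the next reader from checking; where they are actually written is outside this hunk, so I am not asserting the destination. The enclosing function continues past the end of the hunk.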
@@ -3730,7 +3724,7 @@
depth = int((len(line) - len(line.lstrip())) / 2)
pre2 = ' ' * (depth + 1)
for hat in list(filter(lambda x: x != name, sorted(profile_data.keys()))):
- if not profile_data[hat]['external'] and not profile_data[hat]['declared']:
+ if not profile_data[hat]['external']:
data.append('')
if profile_data[hat]['profile']:
data += list(map(str, write_header(profile_data[hat], depth + 1, hat, True, include_flags)))
@@ -3990,16 +3984,9 @@
data.append(line)
elif RE_PROFILE_CHANGE_HAT.search(line):
- matches = RE_PROFILE_CHANGE_HAT.search(line).groups()
- hat = matches[0]
- hat = strip_quotes(hat)
- if not write_prof_data[hat]['declared']:
- correct = False
- if correct:
- data.append(line)
- else:
- #To-Do
- pass
+ # "^hat," declarations are no longer supported, ignore them and don't write out the line
+ # (parse_profile_data() already prints a warning about that)
+ pass
elif RE_PROFILE_HAT_DEF.search(line):
matches = RE_PROFILE_HAT_DEF.search(line)
in_contained_hat = True
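Review bot: The new `pass` branch drops any `^hat,` line from the rewritten profile without touching `correct` or emitting anything at write time, so the only trace of a discarded policy line is the warning the comment attributes to parse_profile_data(); if some caller reaches this writer with data that did not go through that parser, the drop is invisible. I would make the comment say so explicitly, e.g. `# dropped silently: the only notice is parse_profile_data()'s warning`, and, if the parser warning does not break the fixture comparison, add a `^bar,` line to cleanprof_test.in so the drop is pinned by the test rather than only by the parser. The added fixture in this patch exercises only the `^foo {` hat-definition form, not this branch. The enclosing function starts and ends outside this hunk.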
@@ -4009,8 +3996,6 @@
if not write_prof_data[hat]['flags'] == flags:
correct = False
- if not write_prof_data[hat]['declared'] is False:
- correct = False
if not write_filelist['profile'][profile][hat]:
correct = False
if correct:
=== modified file utils/test/cleanprof_test.in
--- utils/test/cleanprof_test.in 2015-05-25 17:30:59.798783638 +0200
+++ utils/test/cleanprof_test.in 2015-06-07 14:45:06.807307887 +0200
@@ -7,6 +7,12 @@
#Below rule comes from abstractions/base
allow /usr/share/X11/locale/** r,
allow /home/*/** r,
+
+ ^foo {
+ /etc/fstab r,
+ capability dac_override,
+ }
+
allow /home/foo/bar r,
allow /home/foo/** w,
}
=== modified file utils/test/cleanprof_test.out
--- utils/test/cleanprof_test.out 2015-05-25 17:30:59.798783638 +0200
+++ utils/test/cleanprof_test.out 2015-06-07 14:46:15.334296605 +0200
@@ -9,6 +9,13 @@
/home/*/** r,
/home/foo/** w,
+
+ ^foo {
+ capability dac_override,
+
+ /etc/fstab r,
+
+ }
}
/usr/bin/other/cleanprof/test/profile {
/home/*/** rw,
Regards,
Christian Boltz
--
IT is everything that is more complicated than pushing buttons in
the elevator. [from http://www.orkpiraten.de/blog/ugly-kid-jeans]